oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Add ocsp glue, use new _hx509_verify_signature_bitstring, add eku

Browse Source 
checking function.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16883 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-03-31 22:03:13 +00:00
parent d1bf4b78e6
commit 40164d5a9e
1 changed files with 80 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
lib/hx509/cert.c
View File

@@ -103,6 +103,8 @@ hx509_context_init(hx509_context *context)
ENGINE_add_conf_module(); ENGINE_add_conf_module();
(*context)->ocsp_time_diff = 5 * 60;
return 0; return 0;
} }
@@ -405,6 +407,24 @@ find_extension_subject_alt_name(const Certificate *cert, int *i,
sa, &size); sa, &size);
} }
static int
find_extension_eku(const Certificate *cert, ExtKeyUsage *eku)
{
const Extension *e;
size_t size;
int i = 0;
memset(eku, 0, sizeof(*eku));
e = find_extension(cert, oid_id_x509_ce_extKeyUsage(), &i);
if (e == NULL)
return HX509_EXTENSION_NOT_FOUND;
return decode_ExtKeyUsage(e->extnValue.data,
e->extnValue.length,
eku, &size);
}
static int static int
add_to_list(hx509_octet_string_list *list, heim_octet_string *entry) add_to_list(hx509_octet_string_list *list, heim_octet_string *entry)
{ {
@@ -1254,23 +1274,42 @@ hx509_verify_path(hx509_context context,
*/ */
if (ctx->revoke_ctx) { if (ctx->revoke_ctx) {
hx509_certs cacerts; hx509_certs certs;
ret = hx509_certs_init(context, "MEMORY:cacerts", 0, NULL, &cacerts); ret = hx509_certs_init(context, "MEMORY:revoke-certs", 0,
NULL, &certs);
for (i = 0; i < path.len; i++)
hx509_certs_add(context, cacerts, path.val[i]);
for (i = 0; i < path.len; i++) {
ret = hx509_revoke_verify(context,
ctx->revoke_ctx,
cacerts,
ctx->time_now,
path.val[i]);
if (ret) if (ret)
goto out; goto out;
for (i = 0; i < path.len; i++) {
ret = hx509_certs_add(context, certs, path.val[i]);
if (ret) {
hx509_certs_free(&certs);
goto out;
} }
} }
ret = hx509_certs_merge(context, certs, chain);
if (ret) {
hx509_certs_free(&certs);
goto out;
}
for (i = 0; i < path.len - 1; i++) {
int parent = (i < path.len - 1) ? i + 1 : i;
ret = hx509_revoke_verify(context,
ctx->revoke_ctx,
certs,
ctx->time_now,
path.val[i],
path.val[parent]);
if (ret) {
hx509_certs_free(&certs);
goto out;
}
}
hx509_certs_free(&certs);
}
#if 0 #if 0
for (i = path.len - 1; i >= 0; i--) { for (i = path.len - 1; i >= 0; i--) {
@@ -1285,24 +1324,16 @@ hx509_verify_path(hx509_context context,
for (i = path.len - 1; i >= 0; i--) { for (i = path.len - 1; i >= 0; i--) {
Certificate *signer, *c; Certificate *signer, *c;
heim_octet_string os;
c = _hx509_get_cert(path.val[i]); c = _hx509_get_cert(path.val[i]);
/* is last in chain and thus the self-signed */ /* is last in chain and thus the self-signed */
signer = path.val[i == path.len - 1 ? i : i + 1]->data; signer = path.val[i == path.len - 1 ? i : i + 1]->data;
if (c->signatureValue.length & 7) {
ret = EINVAL;
break;
}
os.data = c->signatureValue.data;
os.length = c->signatureValue.length / 8;
/* verify signatureValue */ /* verify signatureValue */
ret = _hx509_verify_signature(signer, ret = _hx509_verify_signature_bitstring(signer,
&c->signatureAlgorithm, &c->signatureAlgorithm,
&c->tbsCertificate._save, &c->tbsCertificate._save,
&os); &c->signatureValue);
if (ret) { if (ret) {
break; break;
} }
@@ -1563,3 +1594,32 @@ _hx509_query_match_cert(const hx509_query *q, hx509_cert cert)
return 1; return 1;
} }
int
hx509_cert_check_eku(hx509_context context, hx509_cert cert,
const heim_oid *eku, int allow_any_eku)
{
ExtKeyUsage e;
int ret, i;
ret = find_extension_eku(_hx509_get_cert(cert), &e);
if (ret)
return ret;
for (i = 0; i < e.len; i++) {
if (heim_oid_cmp(eku, &e.val[i]) == 0) {
free_ExtKeyUsage(&e);
return 0;
}
if (allow_any_eku) {
#if 0
if (heim_oid_cmp(id_any_eku, &e.val[i]) == 0) {
free_ExtKeyUsage(&e);
return 0;
}
#endif
}
}
free_ExtKeyUsage(&e);
return -1;
}